Cracking Wi-Fi Protected Access (WPA), Part 1

Article Description

In this two-part series, Seth Fogie examines the internals of WPA and demonstrates how this wireless protection method can be cracked with only four packets of data. Part 1 outlines the details of WPA as compared to WEP and builds the foundation for Part 2, in which he describes in detail how WPA-PSK can be cracked.

Credits: In November 2004, Joshua Wright released a tool
called coWPAtty. This tool was instrumental in helping me write this article
because it provided a window into how WPA works—or, in this case,
doesn't work. Without it, the details of the cracking process would have
been much harder to produce in written form. So, thanks, Joshua Wright, for your
work on this project!

WPA Overview

Since the turn of the century, wireless networking has grown from a very
exclusive tech toy into a full-blown phenomenon. For less than $50, anyone who
can plug in a toaster can essentially set up a wireless local area network
(WLAN). The problem with this plug-and-play generation of users is that very few
understand how their data is sent through the air, much less comprehend the
associated risks. Even as I write this, an estimated 40–50% of all
wireless users are not implementing any form of protection. On the
bright side, this percentage is falling, albeit very slowly.

The security problem is exacerbated by the fact that early attempts at
encryption were flawed. Wired Equivalent Privacy (WEP) was found to be
vulnerable to various statistical weaknesses in the encryption algorithm it
employed to scramble data passed over the WLAN. While attempts were made to
correct the problem, it's still a relatively simple feat to crack WEP and
essentially pull the password right out of the air. In addition, WEP suffers
from other problems that make it unacceptable for use in any secure
environment.

The wireless community knew early on that these problems existed. However,
they also realized that it would take years until the standardized correction
was designed and implemented into new hardware. In the meantime, millions of
users needed reliable protection. The Wi-Fi Alliance stepped up to the
challenge and created an interim "standard" called Wi-Fi Protected Access
(WPA).

WPA did an excellent job of patching the problems in WEP. With only a
software upgrade, it corrected almost every security problem either created or
ignored by WEP. However, WPA also created new problems:

One flaw allowed an attacker to mount a denial-of-service attack, provided
the attacker could first bypass several other layers of protection.

A second flaw exists in the method by which WPA initializes its encryption
scheme. Consequently, it's actually easier to crack WPA than it is to crack
WEP. This flaw is the subject of this article.